Does my society’s website have to respect the rights and obligations ensued from the General Data Protection Regulation ?

The choir « chantons en cœur », constituted in a society and located in the middle of the vineyards of Lavaux, manages a website presenting the activities and the following concerts in the region.

A new chorister, an only recently retired lawyer, is so bored that she begs the committee to take her within : « Be assured that I will be very helpful ».

Shortly afterwards, she presents to the committee a large number of articles of the law. It is absolutely necessary to verify that the website is in conformity with the new regulation, which she has heard a lot about lately, the « GDPR ».

Hailed, the society’s president reassured his members. He knows the new regulation very well, which does not apply to the society’s website, as it is just a showcase of the choir’s activities, whose members live furthermore all in Switzerland.

Even if residents of the European Union would visit the choir’s website, this one does not have to respect the European regulation (the GDPR ), as we offer neither good or service for their attention, nor to anyone. Indeed, the website only delivers information.

Recommendations

The European regulation foresees that the processing of personal data of European residents by a processing manager or a subcontractor who does not reside in the Union can be applied, when the processing activities are linked to the offer of goods and services to these people (whether a payment is required or not) or to the monitoring of these people’s behaviour in the Union. In the first assumption, it was agreed that there must be a will to process personal data of European residents, so that occasional or purely circumstantial processing, such as, as it happens, the consulting of a website and therefore the IP address processing, does not suffice.

Basic principles

application of the GDPR (art. 3 GDPR)

Resources

See the guide of the PFPDT (Federal Data Protection and Information Commissioner), the GDPR and its consequences for Switzerland.